By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IAM Identity Center - "message":"No access" with users from Active Directory

0

I'm getting a "no access" response when I try to access to an account using SSO portal. I've configured AD directory with AD Connector and synced groups. I can login in web and aws cli, see the configured accounts and permissions sets but when I try to access I'm always getting this response:

'{"message":"No access","__type":"com.amazonaws.switchboard.portal#ForbiddenException"}'

Same response from web and aws cli. I tried to roll back to Identity Center directory (local users and groups) and with local users it's working fine. Only fails with AD users. I've checked SSO roles and identity providers are correctly created on every managed account.

Any idea about what is happening?

Thanks and regards, Guillem

Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access ManagementAWS Directory ServiceAWS IAM Identity Center
Language
English
rePost-User-3199548
asked a year ago1074 views
1 Answer
1
Accepted Answer

SOLVED. As commented in https://repost.aws/questions/QUAqB5ERupRE2GY9RcUSA2zQ/problem-with-sso, a mail attribute it's needed for SAML assertions. In my case, mail was empty in our AD. I've mapped userPrincipalName to emails[?primary].value and then it worked.

rePost-User-3199548
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content